fix v1beta2 k8s policy generation

Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>

build_system/docker/entry.sh

@@ -15,6 +15,21 @@ var_mode=
 var_token=
 var_ignore=
 init=
+active_watchdog_pid=
+
+cleanup() {
+    local signal="$1"
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Signal ${signal} was received, exiting gracefully..." >&2
+    if [ -n "${active_watchdog_pid}" ] && ps -p ${active_watchdog_pid} > /dev/null 2>&1; then
+        kill -TERM ${active_watchdog_pid} 2>/dev/null || true
+        wait ${active_watchdog_pid} 2>/dev/null || true
+    fi
+    echo "Cleanup completed. Exiting now." >&2
+    exit 0
+}
+
+trap 'cleanup SIGTERM' SIGTERM
+trap 'cleanup SIGINT' SIGINT
 
 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
     echo "Error: agent installation package doesn't exist."

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -515,60 +515,63 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
 }
 // LCOV_EXCL_STOP
 
-std::tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>>
+tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &ingress_mode) const
 {
-    auto maybe_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<AppsecPolicySpec>>(
-        "/apis/openappsec.io/v1beta1/policies/" + policy_name
+    string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
+    string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
+    auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
+        "/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policies" + ns_suffix + "/" + policy_name
     );
 
-    if (!maybe_appsec_policy_spec.ok() ||
-        maybe_appsec_policy_spec.unpack().getApiVersion().find("v1beta1") == std::string::npos
+    if (!maybe_v1beta2_appsec_policy_spec.ok() ||
+        maybe_v1beta2_appsec_policy_spec.unpack().getApiVersion().find("v1beta2") == std::string::npos
     ) {
         try {
-            std::string v1beta1_error =
-                maybe_appsec_policy_spec.ok() ? "There is no v1beta1 policy" : maybe_appsec_policy_spec.getErr();
+            string policy_error = maybe_v1beta2_appsec_policy_spec.getErr();
+            string v1beta2_error =
+                maybe_v1beta2_appsec_policy_spec.ok() ? "There is no v1beta2 policy" : policy_error;
             dbgWarning(D_LOCAL_POLICY
             ) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
-            string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
-            string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
-            auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
-                "/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policies" + ns_suffix + "/" + policy_name
+            auto maybe_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<AppsecPolicySpec>>(
+                "/apis/openappsec.io/v1beta1/policies/" + policy_name
             );
 
-            if (!maybe_v1beta2_appsec_policy_spec.ok()) {
+            if (!maybe_appsec_policy_spec.ok()) {
                 dbgWarning(D_LOCAL_POLICY)
-                    << "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr();
+                    << "Failed to retrieve AppSec policy. Error: " << maybe_appsec_policy_spec.getErr();
                 return std::make_tuple(
-                    genError("Failed to retrieve AppSec v1beta1 policy. Error: " + v1beta1_error),
+                    genError("Failed to retrieve AppSec v1beta1 policy. Error: " + maybe_appsec_policy_spec.getErr()),
                     genError(
-                        "Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr()
+                        "Failed to retrieve AppSec v1beta2 policy. Error: " + v1beta2_error
                     )
                 );
             }
             return std::make_tuple(
-                genError("There is no v1beta1 policy"),
-                createAppsecPolicyK8sFromV1beta2Crds(maybe_v1beta2_appsec_policy_spec.unpack(), ingress_mode)
+                createAppsecPolicyK8sFromV1beta1Crds(maybe_appsec_policy_spec.unpack(), ingress_mode),
+                genError("There is no v1beta2 policy")
             );
+
         } catch (const PolicyGenException &e) {
             dbgDebug(D_LOCAL_POLICY) << "Failed in policy generation. Error: " << e.what();
-            return std::make_tuple(
+            return make_tuple(
                 genError("There is no v1beta1 policy"),
                 genError("Failed to retrieve AppSec v1beta2 policy. Error: " + string(e.what()))
             );
         }
     }
 
-    return std::make_tuple(
-        createAppsecPolicyK8sFromV1beta1Crds(maybe_appsec_policy_spec.unpack(), ingress_mode),
-        genError("There is no v1beta2 policy"));
+    return make_tuple(
+        genError("There is no v1beta1 policy"),
+        createAppsecPolicyK8sFromV1beta2Crds(maybe_v1beta2_appsec_policy_spec.unpack(), ingress_mode)
+    );
 }
 
 template<class T, class K>
 void
 K8sPolicyUtils::createPolicyFromIngress(
     T &appsec_policy,
-    map<std::string, T> &policies,
+    map<string, T> &policies,
     map<AnnotationKeys, string> &annotations_values,
     const SingleIngressData &item) const
 {
@@ -608,7 +611,7 @@ template<class T, class K>
 void
 K8sPolicyUtils::createPolicyFromActivation(
     T &appsec_policy,
-    map<std::string, T> &policies,
+    map<string, T> &policies,
     const EnabledPolicy &policy) const
 {
     if (policies.find(policy.getName()) == policies.end()) {

components/security_apps/orchestration/orchestration_comp.cc

@@ -1522,6 +1522,12 @@ private:
 
         agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
 
+        const char *prometheus_env = getenv("PROMETHEUS");
+        if (prometheus_env != nullptr) {
+            auto enable_prometheus = string(prometheus_env) == "true";
+            agent_data_report << AgentReportFieldWithLabel("enablePrometheus", enable_prometheus ? "true" : "false");
+        }
+
 #if defined(gaia) || defined(smb)
         if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
             agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@@ -2272,4 +2278,4 @@ OrchestrationComp::preload()
     registerExpectedSetting<uint>("successUpgradeInterval");
     registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
     registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
-}
+}

components/security_apps/orchestration/update_communication/fog_authenticator.cc

@@ -227,6 +227,11 @@ FogAuthenticator::registerAgent(
 
     request << make_pair("userEdition", getUserEdition());
 
+    const char *prometheus_env = getenv("PROMETHEUS");
+    if (prometheus_env != nullptr) {
+        request << make_pair("enablePrometheus", string(prometheus_env) == "true" ? "true" : "false");
+    }
+
     if (getDeplymentType() == "Docker" || getDeplymentType() == "K8S") {
         const char *image_version_otp = getenv("IMAGE_VERSION");
         if (image_version_otp) {

config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml

@@ -40,7 +40,7 @@ spec:
         stdout:
             format: json
         cef-service: []
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
   web-attacks:
     minimum-confidence: high
     override-mode: detect-learn
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:

config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml

@@ -40,7 +40,7 @@ spec:
         stdout:
             format: json
         cef-service: []
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
   web-attacks:
     minimum-confidence: high
     override-mode: prevent-learn
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:

deployment/docker-compose/apisix/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file:
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/apisix/docker-compose.yaml

@@ -103,14 +103,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: always
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/envoy/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/envoy/docker-compose.yaml

@@ -109,14 +109,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/kong-lua-plugin/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/kong-lua-plugin/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/kong/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/kong/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data

deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml

@@ -103,14 +103,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-proxy-manager/.env

@@ -21,6 +21,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data

deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-unified/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/nginx-unified/docker-compose.yaml

@@ -96,14 +96,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/nginx/docker-compose.yaml

@@ -108,14 +108,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/swag/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file 
 SWAG_CONFIG=./swag-config

deployment/docker-compose/swag/docker-compose.yaml

@@ -117,14 +117,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/nginx/.env

@@ -15,6 +15,7 @@ USER_EMAIL=user@email.com
 DB_PASSWORD=pass
 DB_USER=postgres
 DB_HOST=appsec-db
+POSTGRES_VERSION=18
 POSTGRES_STORAGE=./postgres-data
 NGINX_CONF_DIR=./nginx-proxy-config
 

deployment/nginx/docker-compose.yaml

@@ -81,14 +81,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${POSTGRES_VERSION}
     container_name: appsec-db
     restart: always
     environment:
       - POSTGRES_PASSWORD=${DB_PASSWORD}
       - POSTGRES_USER=${DB_USER} 
     volumes:
-      - ${POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
 ##

nodes/orchestration/package/orchestration_package.sh

@@ -209,6 +209,9 @@ save_local_policy_config()
 if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
     export FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
 fi
+if [ -n "${PROMETHEUS}" ] ; then
+    export PROMETHEUS=$PROMETHEUS
+fi
 if [ -n "${CP_ENV_LOG_FILE}" ] ; then
     LOG_FILE_PATH=$CP_ENV_LOG_FILE
 fi
@@ -433,7 +436,7 @@ if command -v which &>/dev/null; then
     var_which_cmd_exists=1
 fi
 
-if [ $var_arch != "gaia" ] && [ $var_arch != "gaia_arm" ] && [ $var_which_cmd_exists -eq 1 ]; then 
+if [ $var_arch != "gaia" ] && [ $var_arch != "gaia_arm" ] && [ $var_which_cmd_exists -eq 1 ]; then
     if [ -n "$(which systemctl)" ]; then
         var_startup_service="systemd"
     else
@@ -974,7 +977,7 @@ install_orchestration()
         fi
         ${INSTALL_COMMAND} lib/*.so* ${USR_LIB_PATH}/
         ${INSTALL_COMMAND} lib/boost/*.so* ${USR_LIB_PATH}/
-        cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}	
+        cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}
         exit 0
     fi
 
@@ -1149,6 +1152,9 @@ install_orchestration()
 		if [ -n "${FILESYSTEM_PATH}" ]; then
 			echo "CP_ENV_FILESYSTEM=${FILESYSTEM_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
 		fi
+        if [ -n "${PROMETHEUS}" ]; then
+            echo "PROMETHEUS=${PROMETHEUS}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+        fi
 		if [ -n "${VS_ID}" ]; then
 			echo "CP_VS_ID=${VS_ID}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
 		fi

nodes/orchestration/package/watchdog/watchdog

@@ -115,6 +115,11 @@ load_paths()
     if [ -n "${CP_ENV_LOG_FILE}" ]; then
         LOG_FILE_PATH=$CP_ENV_LOG_FILE
     fi
+
+    if [ -n "${PROMETHEUS}" ]; then
+        export PROMETHEUS=$PROMETHEUS
+    fi
+
     if [ -n "${CP_VS_ID}" ]; then
         VS_ID=${CP_VS_ID}
         VS_EVAL_PREFIX="ip netns exec CTX0000${VS_ID} env"